Systems, methods, and apparatuses for comparing firewall policies are described. In one aspect, a system includes a first gateway configured to implement a first firewall having a first policy, a second gateway configured to implement a second firewall having a second policy, and a computing device configured to compare the first policy with the second policy to determine whether the first policy matches the second policy. The first firewall and the second firewall may be implemented with different technologies and/or on different platforms. The computing device may operate as, or execute, a firewall comparison tool to parse raw firewall configuration data from the different firewalls and generate data structures with a common format so that the firewall policies may be compared.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A system, comprising: a first gateway configured to implement a first firewall having a first policy; a second gateway configured to implement a second firewall having a second policy; a computing device comprising a network interface and configured to: generate a listing of firewall policies of the system to compare; provide, through a web portal, a first selectable object configured to allow a user to select the first policy from the listing of firewall policies and a second selectable object configured to allow the user to select the second policy from the listing of firewall policies; receive, through the web portal, selections of the first policy and the second policy; receive, from the first gateway, first configuration data of the first firewall; receive, from the second gateway, second configuration data of the second firewall; compare the first policy with the second policy based on the first configuration data and the second configuration data by at least: comparing a source field, a destination field, and a service field of a first rule of the first policy respectively with a source field, a destination field, and a service field of a first rule of the second policy; determining a percentage of object properties associated with the service field of the first rule of the first policy that match object properties associated with the service field of the first rule of the second policy; and in response to determining that the percentage is greater than a predetermined threshold, determining that the first rule of the first policy matches the first rule of the second policy; determine a score indicating a degree to which the first policy matches the second policy, wherein the score is at least based on a first score indicating a degree to which the source field, the destination field, and the service field of the first rule of the first policy respectively match the source field, the destination field, and the service field of the first rule of the second policy and based on a second score indicating a degree to which a source field, a destination field, and a service field of a second rule of the first policy respectively match a source field, a destination field, and a service field of a second rule of the second policy; and a display configured to display the score.
A system compares firewall policies between two firewalls implemented on different gateways. It features a web portal where a user selects two policies to compare. The system retrieves configuration data from both firewalls, then compares corresponding rules field by field (source, destination, service). For the service field, it calculates the percentage of object properties that match. If the percentage exceeds a threshold, the rules are considered a match. The system then calculates an overall match score from the per-rule match scores and shows that score on a display.
2. The system of claim 1, wherein the computing device is further configured to: parse the first configuration data and the second configuration data, the second configuration data having a format different from a format of the first configuration data; generate a first data structure, comprising the first configuration data; and generate a second data structure, comprising the second configuration data, the first data structure and the second data structure having a common format.
The system of claim 1 also includes a parsing mechanism that handles the different configuration data formats produced by different firewalls. It converts the raw configuration data from each firewall into a data structure with a common format. This lets the system compare firewall policies uniformly even when the underlying firewalls use different technologies or platforms.
3. The system of claim 1, wherein the first firewall protects a first subsystem, comprising a first data center for a first geographical location, and the second firewall protects a second subsystem, comprising a second data center for a second geographical location.
The system from the initial firewall comparison description has firewalls protecting different geographical locations. The first firewall protects a data center in a first location, and the second firewall protects a data center in a second location. This allows for comparing security policies between different physical sites to ensure consistency.
4. The system of claim 1, wherein the first score is at least based on a degree to which object properties of the first rule of the first policy match object properties of the first rule of the second policy.
In the firewall policy comparison system described earlier, the calculated rule scores consider how well the object properties within the corresponding rule fields match. For example, it considers the degree to which the source IP addresses or destination ports in the respective rules match. This degree of matching of object properties contributes to the score for that rule.
5. The system of claim 4, wherein the score is an average of a plurality of rule scores comprising the first score and the second score.
Continuing with the system that compares firewall policies, the overall score indicating the degree to which two firewall policies match is calculated as an average of the individual rule scores. Rule scores reflect the similarity between corresponding rules in the two firewall policies. By averaging these rule scores, the system provides a single metric representing the overall similarity of the two firewall policies.
6. The system of claim 1, wherein the computing device is configured to determine whether an object property of any objects of a particular field of the first rule of the first policy matches an object property of any objects of a corresponding field of the first rule of the second policy.
Further elaborating on the firewall policy comparison system, when comparing rules, the system checks if any object within a particular field (source, destination, service) in a rule of the first policy matches any object within the corresponding field in the rule of the second policy. This allows the system to identify partial matches, enhancing the accuracy of the comparison.
7. The system of claim 1, wherein the computing device is further configured to output a report identifying a reason that the first policy and the second policy are not an exact match.
The firewall comparison system described earlier provides a report explaining any differences it finds between two compared firewall policies. If the policies aren't an exact match, the report identifies specific reasons for the mismatch, such as differing rules or object properties, aiding in troubleshooting inconsistencies.
8. The system of claim 1, wherein the computing device is further configured to provide, through the web portal, results of the comparison of the first policy with the second policy.
The system described for comparing firewall policies displays the results of the comparison through the web portal. This allows a user to view the match score and any identified differences between the compared policies.
9. The system of claim 1, wherein the determining that the first rule of the first policy matches the first rule of the second policy is responsive to: determining a second percentage of object properties associated with the source field of the first rule of the first policy that match object properties associated with the source field of the first rule of the second policy; and determining that the second percentage is greater than a second predetermined threshold.
In the process of comparing two firewall rules, the determination of whether a rule in the first policy matches the corresponding rule in the second policy is dependent on comparing multiple fields. Specifically, the percentage of matching object properties within the *source* field is checked. If this percentage exceeds a pre-defined threshold, it contributes to the determination of a rule match.
10. The system of claim 9, wherein the determining that the first rule of the first policy matches the first rule of the second policy is responsive to: determining a third percentage of object properties associated with the destination field of the first rule of the first policy that match object properties associated with the destination field of the first rule of the second policy; and determining that the third percentage is greater than a third predetermined threshold.
Building upon the previous claim regarding source field comparison, the rule matching process also considers the *destination* field. A percentage of matching object properties within the destination field is calculated. If this percentage exceeds a threshold, it further confirms that the two rules match. The source and destination fields, together with the service field of claim 1, therefore all factor into the rule-match decision.
11. A non-transitory computer-readable storage medium storing computer-executable instructions that, when executed by a computing device, cause the computing device to: generate a listing of firewall policies to compare; provide, through a web portal, a first selectable object configured to allow a user to select a first policy from the listing of firewall policies and a second selectable object configured to allow the user to select a second policy from the listing of firewall policies; receive, through the web portal, selections of the first policy and the second policy; receive, from a first gateway, first configuration data of a first firewall having the first policy; receive, from a second gateway, second configuration data of a second firewall having the second policy; compare the first policy with the second policy based on the first configuration data and the second configuration data by at least: comparing a source field, a destination field, and a service field of a first rule of the first policy respectively with a source field, a destination field, and a service field of a first rule of the second policy; determining a percentage of object properties associated with the service field of the first rule of the first policy that match object properties associated with the service field of the first rule of the second policy; and in response to determining that the percentage is greater than a predetermined threshold, determining that the first rule of the first policy matches the first rule of the second policy; determine a score indicating a degree to which the first policy matches the second policy, wherein the score is at least based on a first score indicating a degree to which the source field, the destination field, and the service field of the first rule of the first policy respectively match the source field, the destination field, and the service field of the first rule of the second policy and based on a second score indicating a degree to which a source field, a destination field, and a service field of a second rule of the first policy respectively match a source field, a destination field, and a service field of a second rule of the second policy; and output the score for display.
A software program stored on a computer-readable medium compares firewall policies. The program presents a web portal allowing users to select two policies for comparison. It retrieves configuration data from the firewalls associated with these policies and compares the policies by examining corresponding rules, focusing on the source, destination, and service fields. It calculates the percentage of matching object properties for the service fields and, if this exceeds a threshold, considers the rules a match. The program generates and outputs, for display, a score reflecting the overall degree of policy similarity.
12. The non-transitory computer-readable storage medium of claim 11, wherein the second configuration data has a different format from a format of the first configuration data, and wherein the computer-executable instructions, when executed, further cause the computing device to: parse the first configuration data and the second configuration data; generate a first data structure, comprising the first configuration data; and generate a second data structure, comprising the second configuration data, the first data structure and the second data structure having a common format.
The software program for firewall policy comparison, stored on a computer-readable medium, handles configuration data in differing formats. It parses the configuration data from each firewall and transforms it into a common data structure, so that policies from firewalls with different configurations and technologies can be compared uniformly.
13. The non-transitory computer-readable storage medium of claim 11, wherein the computer-executable instructions, when executed, further cause the computing device to: determine the first score based on a degree to which object properties of the first rule of the first policy match object properties of the first rule of the second policy.
The software program on a computer-readable medium that compares firewall policies calculates the rule matching scores based on the degree to which the object properties of corresponding rules match. So, a higher degree of similarity in object properties results in a higher rule score, and contributes to the final overall score for policy similarity.
14. The non-transitory computer-readable storage medium of claim 11, wherein the computer-executable instructions, when executed, further cause the computing device to: determine the first score based on a number of object properties of the first rule of the first policy that match object properties of the first rule of the second policy.
Continuing with the firewall comparison software, the similarity between two rules is computed by counting the *number* of object properties that match between a rule in the first firewall and the corresponding rule in the second firewall. This complements claim 13, which bases the score on the *degree* of similarity rather than on a count.
15. The non-transitory computer-readable storage medium of claim 11, wherein the computer-executable instructions, when executed, further cause the computing device to: determine an average of a plurality of rule scores, comprising the first score and the second score, to determine the score.
The firewall policy comparison software, stored on a computer-readable medium, calculates the overall match score by averaging the individual rule scores. The overall score is therefore the mean of the rule-level match scores across the two policies.
16. The non-transitory computer-readable storage medium of claim 11, wherein the determining that the first rule of the first policy matches the first rule of the second policy is responsive to: determining a second percentage of object properties associated with the source field of the first rule of the first policy that match object properties associated with the source field of the first rule of the second policy; and determining that the second percentage is greater than a second predetermined threshold.
The software program for firewall policy comparison determines rule matching by looking at the percentage of matching source object properties as well as the percentage of matching service object properties. Only if the source property percentage exceeds its defined threshold does it contribute to the determination of a rule match.
17. A method, comprising: generating a listing of firewall policies to compare; providing, through a web portal, a first selectable object configured to allow a user to select a first policy from the listing of firewall policies and a second selectable object configured to allow the user to select a second policy from the listing of firewall policies; receiving, through the web portal, selections of the first policy and the second policy; receiving, from a first gateway by a computing device, first configuration data of a first firewall having the first policy; receiving, from a second gateway by the computing device, second configuration data of a second firewall having the second policy; and comparing, by the computing device, the first policy with the second policy based on the first configuration data and the second configuration data, wherein the comparing comprises: comparing a source field, a destination field, and a service field of a first rule of the first policy respectively with a source field, a destination field, and a service field of a first rule of the second policy; determining a percentage of object properties associated with the service field of the first rule of the first policy that match object properties associated with the service field of the first rule of the second policy; and in response to determining that the percentage is greater than a predetermined threshold, determining that the first rule of the first policy matches the first rule of the second policy; determining a score indicating a degree to which the first policy matches the second policy, wherein the score is at least based on a first score indicating a degree to which the source field, the destination field, and the service field of the first rule of the first policy respectively match the source field, the destination field, and the service field of the first rule of the second policy and based on a second score indicating a degree to which a source field, a destination field, and a service field of a second rule of the first policy respectively match a source field, a destination field, and a service field of a second rule of the second policy; and outputting, by the computing device via an output device, the score.
A method for comparing firewall policies involves generating a listing of available policies and allowing users to select two via a web portal. Configuration data for the selected policies is retrieved from the respective firewalls. The policies are then compared by comparing corresponding rules focusing on source, destination, and service fields. It determines a percentage of matching service object properties. If this percentage exceeds a threshold, the rules are considered a match. A score reflecting the overall policy similarity is calculated and displayed.
18. The method of claim 17, further comprising: parsing the first configuration data and the second configuration data; generating a first data structure, comprising the first configuration data; generating a second data structure, comprising the second configuration data, the first data structure and the second data structure having a common format; and outputting, via the web portal, the score and an explanation identifying objects of the first rule of the first policy that do not match objects of the first rule of the second policy, wherein the first firewall is implemented on a different platform from that of the second firewall.
Building on the previous firewall comparison method, the process includes parsing the different firewall configuration formats and converting them to a common data structure. The method then outputs, alongside the score, an explanation of any mismatches between the policies that names the specific objects that differ. This helps explain why two policies do not match exactly, particularly when the firewalls run on different platforms.
19. The method of claim 17, wherein the determining the score comprises: determining an average of a plurality of rule scores, comprising the first score and the second score, to determine the score.
Continuing with the firewall comparison method, the overall match score is determined by averaging the scores from individual rule comparisons. This results in a single score indicating overall firewall policy similarity.
20. The method of claim 17, wherein the determining that the first rule of the first policy matches the first rule of the second policy is responsive to: determining a second percentage of object properties associated with the source field of the first rule of the first policy that match object properties associated with the source field of the first rule of the second policy; and determining that the second percentage is greater than a second predetermined threshold.
In the firewall comparison method, when determining if rules match, a percentage of matching object properties within the *source* field is considered, in addition to the service field, as per claim 17. If this percentage of source field matching exceeds a defined threshold, it contributes to determining whether the rules overall are considered a match.
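The comparison scheme the claims describe (parsing two differently formatted configurations into a common structure, computing the per-field percentage of matching object properties against a threshold, averaging rule scores into a policy score, and reporting why rules differ), as an added example that is not code from the patent or from any product. The two configuration formats, the rule contents and the threshold values are all constructed for illustration.

```python
"""Added example (not from the patent): normalise two firewall configurations in
different formats into a common structure and score them with the claims' scheme."""
import json
from typing import Dict, List, Set, Tuple

FIELDS = ("source", "destination", "service")
# Constructed per-field thresholds; a rule matches only if every field clears its own
THRESHOLDS = {"source": 50.0, "destination": 50.0, "service": 50.0}
Rule = Dict[str, Set[str]]  # common format: field name -> set of object properties

# Constructed line-oriented format: "rule <n> src <a,b> dst <c> svc <d,e>"
CONFIG_A = """rule 1 src 10.0.0.0/24,10.0.1.0/24 dst 192.168.1.10 svc tcp/443,tcp/80
rule 2 src any dst 192.168.2.0/24 svc udp/53,tcp/53"""
# Constructed JSON format from the second gateway; its rule 2 lacks tcp/53 (drift)
CONFIG_B = json.dumps([
    {"from": ["10.0.1.0/24", "10.0.0.0/24"], "to": ["192.168.1.10"], "app": ["tcp/80", "tcp/443"]},
    {"from": ["any"], "to": ["192.168.2.0/24"], "app": ["udp/53"]},
])


def parse_format_a(text: str) -> List[Rule]:
    """Parse the line format into the common structure."""
    rules = []
    for line in text.splitlines():
        tok = line.split()  # ["rule", n, "src", S, "dst", D, "svc", V]
        rules.append({"source": set(tok[3].split(",")),
                      "destination": set(tok[5].split(",")),
                      "service": set(tok[7].split(","))})
    return rules


def parse_format_b(text: str) -> List[Rule]:
    """Parse the JSON format into the same common structure."""
    return [{"source": set(r["from"]), "destination": set(r["to"]),
             "service": set(r["app"])} for r in json.loads(text)]


def field_match_pct(a: Set[str], b: Set[str]) -> float:
    """Percentage of objects in field a that also appear in field b (claim wording).
    This is asymmetric: objects present only in b do not lower the value."""
    return 100.0 * len(a & b) / len(a) if a else 100.0


def compare_rules(r1: Rule, r2: Rule) -> Tuple[bool, float, List[str]]:
    """Return (matched, rule score, reasons) for one pair of corresponding rules."""
    pcts = {f: field_match_pct(r1[f], r2[f]) for f in FIELDS}
    matched = all(pcts[f] > THRESHOLDS[f] for f in FIELDS)
    score = sum(pcts.values()) / len(FIELDS)
    # Reasons use the symmetric difference so extras on either side are named
    reasons = [f"{f} differs: {sorted(r1[f] ^ r2[f])}" for f in FIELDS if r1[f] != r2[f]]
    return matched, score, reasons


def compare_policies(p1: List[Rule], p2: List[Rule]) -> dict:
    """Overall score = average of rule scores, plus a report explaining mismatches."""
    report = [] if len(p1) == len(p2) else [f"rule count differs: {len(p1)} vs {len(p2)}"]
    pairs = [compare_rules(a, b) for a, b in zip(p1, p2)]
    for i, (matched, _, reasons) in enumerate(pairs, start=1):
        if not matched:
            report.append(f"rule {i}: {'; '.join(reasons)}")
    overall = sum(s for _, s, _ in pairs) / len(pairs) if pairs else 0.0
    return {"score": overall, "rules": pairs, "report": report}
```

Running `compare_policies(parse_format_a(CONFIG_A), parse_format_b(CONFIG_B))` on the constructed input scores rule 1 at 100% and rule 2 at about 83% (its service field sits exactly at the 50% threshold and so does not count as a match), for an overall policy score of about 91.7% and a report naming `tcp/53` as the differing object.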
June 4, 2014
May 30, 2017